Let me explain: if an exploit is found (and revealed) in a game on the PSP, Sony will simply remove the game temporarily from the PSN Store, and it will be available again only once the game’s developers fix the issue. So the only people who will be able to benefit from the exploit will be those who downloaded the game from the PSN Store before the exploit was made public. (In case you didn’t know, the PSPGo has no UMD drive, and therefore all games for this machine must be bought on the PSN.)

Yep, that’s not cool, and it explains why Freeplay doesn’t want to make the recent hack of the PSP Go public (the exploit is still useful for hackers, as it allows running unsigned code on the PSPGo and therefore analyzing its firmware more precisely). It also explains why we should now be looking for vulnerabilities in the PSP firmware (such as the laughman tiff exploit that led to chickHEN a few months ago) rather than in games.

In this article I will explain how to monitor the PSP Menu with PSPLink. If you haven’t read my previous post on savegame exploits, I suggest you do, as it is a nice introduction to PSP exploits. Disclaimer: I’m not the best PSPLink user in the world, so this article might be incomplete in some parts.

Setup

Imagine you have a file that crashes your PSP. It can be a video file, an mp3, an image, etc… (I will explain later how you can find or create these files). How would you tell if it can become an exploit or not? Well, as usual, the answer is clear: PSPLink.

PSPLink is a very useful tool for analyzing the RAM of the PSP. If you don’t have it yet, google for it. I personally have the version included with the minimalist PSPSDK.

PSPLink has two parts of interest here: one that goes on the PSP (basically an EBOOT, like most homebrews), and two executables that run on the PC (they display the information the PSP sends to the PC).

Once you have installed PSPLink on your PSP and plugged your PSP into your computer with a USB cable, open 2 command-line windows, in which you will run usbhostfs_pc and pspsh respectively.

When this is done, you can run the PSPLink EBOOT on your PSP. If everything goes well, pspsh on your computer will display “host0:/” and usbhostfs will say “Connected to Device”. It should look like this:

If you need more information on PSPLink, google for it.

Running the XMB/VSH

Now that’s the interesting part. If you’re a developer, you might know how to run your homebrews’ prx files from there. But how can you access the PSP Menu? Well, that’s actually very easy, as you only need to type the following two commands in pspsh:

reset vsh

flash0:/vsh/module/vshmain.prx

And that’s it! Let me tell you, it is way easier than doing it for savegames, as no plugins are required.

Test your crash

When the crash occurs, pspsh should display the current state of the registers, and lots of useful information.

MIPS…

From here, what you need is MIPS assembly knowledge, and lots of patience. But I can’t teach you that :). For the basics, you can still read my article on savegames, as we are looking for exactly the same thing: a way to overwrite $ra.
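As an added example (not code from the original post), here is a small Python script that parses a pspsh-style crash dump and reports which registers hold a marker word planted in the test file, so you can tell at a glance whether a crash is just a bad read or actually reaches $ra / EPC. The dump layout, the field names and the sample values are constructed approximations, not verbatim PSPLink output.

```python
import re

# Constructed sample dump: an approximation of the register dump pspsh prints
# when a thread crashes (layout assumed; register names follow the MIPS ABI).
# 0x41414141 ("AAAA") is the marker word written into the test file.
SAMPLE_DUMP = """\
Exception - Address load/inst fetch
Thread ID - 0x04c4cf8b
Th Name   - user_main
EPC       - 0x41414140
Cause     - 0x10000010
BadVAddr  - 0x41414140
Status    - 0x60008613
zr:0x00000000 at:0x08810000 v0:0x41414141 v1:0x00000000
a0:0x09ffe8b0 a1:0x00000040 a2:0x00000000 a3:0x00000004
s0:0x41414141 s1:0x41414141 s2:0x00000000 s3:0x00000000
gp:0x08830000 sp:0x09ffe8a0 fp:0x09ffe8d0 ra:0x41414141
"""

HEADER_RE = re.compile(r"^(\w+)\s*-\s*0x([0-9a-fA-F]{1,8})\s*$", re.M)
REG_RE = re.compile(r"\b([a-z][a-z0-9]):0x([0-9a-fA-F]{8})")


def parse_dump(text):
    """Return (exception name, {field or register name: int value})."""
    m = re.search(r"^Exception\s*-\s*(.+)$", text, re.M)
    exc = m.group(1).strip() if m else "unknown"
    values = {k: int(v, 16) for k, v in HEADER_RE.findall(text)}
    values.update({k: int(v, 16) for k, v in REG_RE.findall(text)})
    return exc, values


def controlled(values, marker):
    """Names of the registers/fields that hold the marker word."""
    return sorted(k for k, v in values.items() if v == marker)


def triage(text, marker=0x41414141):
    """Classify the crash: file data in $ra/EPC, only in an address, or neither."""
    exc, values = parse_dump(text)
    hits = controlled(values, marker)
    # EPC equal to the marker (ignoring the two alignment bits) means the CPU
    # tried to fetch an instruction from a file-controlled address.
    epc_hit = (values.get("EPC", 0) & ~3) == (marker & ~3)
    if "ra" in hits or epc_hit:
        verdict = "return address controlled"
    elif (values.get("BadVAddr", 0) & ~3) == (marker & ~3):
        verdict = "controlled address, no code control yet"
    else:
        verdict = "crash without obvious control"
    return {"exception": exc, "controlled": hits, "verdict": verdict}
```

Paste the real dump from pspsh into SAMPLE_DUMP (or read it from a file) and adjust the regexes if your PSPLink version prints the registers in a different layout.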

By the way, you need a hacked PSP to run PSPLink, so don’t try this on Official Firmwares.



@H@lo World: The most famous PNG library is called libpng, and it’s pretty much bug free nowadays. Sony are reportedly not using this lib, so they could have a bug in their own software, but it’s a bit unlikely (I mean, there are always bugs, but it’s less likely to find one in PNG files than in other formats maybe?). You can have a look at the bug list of libpng to get inspiration: http://sourceforge.net/tracker/?group_id=5624&atid=105624

Hi wololo, thanks for your help. If I change one byte in a PNG image, the PSP says “The Data is Corrupted”. And the tiff exploit is patched on 6.10, and BMP images have no alpha layer. Is it possible to get an alpha layer in BMP images, or is it possible to find an exploit in BMP somewhere else?

Hmm… I’m new here and I want to help with hacking the PSP. The article you gave me is very interesting. There is likely no BMP exploit that I have seen. You said to focus on tiff images, but the tiff exploit is patched by Sony, isn’t it? The second thing is that I’ve searched for PSPLink but I haven’t yet found a download link. It would be great if you had a link for me. Thanks

ONE tiff exploit was patched by Sony, it doesn’t mean that the library is safe, it probably still has bugs. Remember that the PSP was already hacked at least twice with 2 different tiff vulnerabilities.

That’s a weird question… If you find an exploit (user or kernel) and want to load a binary, you have to find a way to call sceioread. I don’t know exactly what register sceioread is expected to read from, but basically, assuming it’s $a1 (that’s an example), and your “ms0:/h.bin” text is at address 08800000 (again, just as an example, this assumes that you put that stuff somewhere in memory), then you have to manage to put 08800000 into $a1 and then call sceioread. To get more insight on this, look for “sparta sdk” on google, this is probably the best example you will get on how to do that.

Hi wololo, I’ve found a good tiff image, but how exactly do I create a buffer overflow on tiff? 🙁 Is there a program, or should I change the bytes with the hex editor? I’ve done that with the whole picture, but there was no buffer overflow. I’ll be happy if there is a TUT or something else. See you

there are thousands of ways and the only limit is your imagination. Another way is to look at the source code of libraries used by the PSP such as the libtiff and the libungif in order to find vulnerabilities in there. Or you can also decompile the PSP firmware and look for bugs in it. Or you can randomly hexedit a file, etc…

I have a question: although Sony may have patched the tiff exploit that was used in chickHEN, would it be possible that the exploit could still work on, say, firmware 6.00, given that you can try to view it in PSP Filer through HBL and then install CFW, since the exploit puts the PSP in a homebrew state and you could install CFW from it!?

I have found a glitch in the XMB on 6.00. If you proxy your PSP to your computer and reroute the updatelist file it uses to check if updates have been made to an updatelist file that’s older on your PC, and download the update, then when you press X to run the update it will show the XMB, but you can’t move around and it will still give you the option to run the update; you can only browse the XMB when you press O. I was wondering if anything could come out of this or if it’s nothing more than a glitch.

